Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.



How to Build a Fourth-Party Vendor Inventory

CPE Credit Eligible

Available on
Listen-on-Apple-Podcasts-badge.jpg  google-play-badge 2.jpg

Be better prepared to manage third-party risk with a fourth-party vendor inventory.

Building a fourth-party vendor inventory can be challenging, but it's crucial to protect your organization from an extensive risk landscape. This podcast explains how to build a fourth-party vendor inventory and tips to keep in mind.

You may also be interested in:


Podcast Transcript

Hi, this is Kelly Vick with Venminder.


In this podcast, you'll learn some tips on how to build a fourth-party vendor inventory. We’ll cover how to identify your organization's most important fourth parties and understand how they should be handled in your vendor risk management program.

Here at Venminder, our team of vendor risk management experts help organizations of all sizes and industries build, implement, and maintain vendor risk management programs every day.

Vendor risk management generally involves vendors directly providing products and services to your organization, but have you thought about those other businesses that are supporting your vendors? 

Your third parties' vendors, or subcontractors, are considered your fourth parties, and it's essential to identify them as they can expose your organization to risk. To adequately address fourth-party risk, you have to first identify them, so you know exactly where to focus your attention. 

However, you don’t need to identify every single fourth party. Instead, you'll want to identify the fourth parties that expose you to the most risk. Although you don't have a direct contract with these fourth parties, there are steps you can take to protect your organization. 

So, let’s cover three simple ways to identify your critical fourth-party vendors: 

  1. First is to start with your critical vendors. A critical vendor is one that can have a serious impact on your organization or customers if they were to fail or suffer a prolonged outage. By identifying critical vendors, you’re one step closer to understanding who your critical fourth parties are.  
  2. Second, request that your critical vendors disclose their third-party vendors or subcontractors who are essential in providing services and products to your organization. 
  3.  And finally, a great method to discover high-risk fourth parties are through your third party's SOC 2 Type II report. As part of this report, your third party is required to disclose its "subservice organizations," which are essentially vendors that carry out processes or controls that are part of the third party's service delivery to customers. If necessary, enlist a qualified subject matter expert to assist in interpreting the SOC report.

Once you’ve identified your critical relationships, review the fourth parties of any high-risk relationship involved in accessing, processing, transmitting, or storing sensitive information or anything with material regulatory impacts, or any relationship with significant financial investments.

Now, let’s consider some information to include in your fourth-party inventory:

  • First, you’ll want to include details on the third-party relationship and the product or service the fourth party is providing, and the physical location of the fourth party. This offers greater insight into the types of risk involved with the fourth party. 
  •  Second, identify any concentration risk that might exist in your fourth-party inventory. Concentration risk might occur if you discover that any of your fourth parties are working with more than one of your third-party vendors. Consider the impact if a single fourth party were to shut down and impact several of your critical vendors. This would create significant operational disruptions for your organization, so it's essential to know where this risk occurs.

Now that you know how to build a fourth-party inventory, it's important to understand how to use the information to enhance your vendor risk management program. 

Two tips to keep in mind are:

  1. One, remember to maintain your inventory as much as possible, so the data is useful and reportable. This should involve keeping third-party SOC reports current and obligating third parties to alert you or request your approval before making any changes to their subcontractors.
  2. And secondly, it's important to make sure your third parties have established their own vendor risk management activities. Although you can't manage your fourth parties directly, you should obligate your third party to meet certain standards, such as performing regular due diligence, managing and resolving issues, and monitoring their vendors' performance.

Building a fourth-party inventory can be a challenging skill to master, but one that's important to protect your organization from an extensive risk landscape. Maintaining awareness and visibility into your vendor inventory will leave you better prepared to effectively manage third-party risk.

Thanks for tuning in; Catch you next time!


Subscribe to our Third Party Thursday Newsletter

Receive weekly third-party risk management news, resources, and more to your inbox.


New Call-to-action

Ready to Get Started?

Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.

Request a Demo